Comments (7)
Thanks. I have updated the docs to use users.get(username)
which behaves correctly.
from flask-httpauth.
Hi.
I don't think 051195d is going to fix anything. We could test with this sample script:
from flask import Flask
from flask.ext.httpauth import HTTPDigestAuth
app = Flask(__name__)
app.config['SECRET_KEY'] = 'secret key here'
auth = HTTPDigestAuth()
users = {
"john": "hello",
"susan": "bye"
}
@auth.get_password
def get_pw(username):
if username in users:
return users.get(username) # this is equivalent to users[username] in this context anyway.
return None
@app.route('/')
@auth.login_required
def index():
return "Hello, %s!" % auth.username()
if __name__ == '__main__':
app.run()
If we login with a known user name and wrong password e.g. http://john:[email protected]:5000/
, we correctly get the HTTP 401 "unauthorized access" page. However, if we login with a wrong user name e.g. http://nobody:[email protected]:5000/
, we will get an HTTP 500 page instead, which is unexpected.
The real problem is that, in lines 49–52 of flask_httpauth.py
,
password = self.get_password_callback(auth.username)
#if not password:
# return self.auth_error_callback()
if not self.authenticate(auth, password):
when the user name is invalid, password
will be None, and then in HTTPDigestAuth.authenticate()
we have
a1 = auth.username + ":" + auth.realm + ":" + password
where password
is None, which will cause TypeError because we are trying to concatenate a string with None.
from flask-httpauth.
Okay, I've finally understood the problem, and (of course) you were correct. I have fixed this and added a test for this specific condition.
Thanks!
from flask-httpauth.
Hi, I'm probing the same example (https://github.com/miguelgrinberg/Flask-HTTPAuth#digest-authentication-example), but I always get an "Unathorized Access" when I make a request.
Example:
~$ curl -v --digest -u john:hello http://127.0.0.1:5000/
* Hostname was NOT found in DNS cache
* Trying 127.0.0.1...
* Connected to 127.0.0.1 (127.0.0.1) port 5000 (#0)
* Server auth using Digest with user 'john'
> GET / HTTP/1.1
> User-Agent: curl/7.37.0
> Host: 127.0.0.1:5000
> Accept: */*
>
* HTTP 1.0, assume close after body
< HTTP/1.0 401 UNAUTHORIZED
< Content-Type: text/html; charset=utf-8
< Content-Length: 19
< WWW-Authenticate: Digest realm="Authentication Required",nonce="bd371cbdb5f144d8dcfb9557bb1de941",opaque="fe97f3f602eabfad9fbb186ca5cabb7f"
< Set-Cookie: session=.eJwly00OQDAQBtC7zNpC6Y-6jMw304lVS8JK3B2xf-8iPo91qa1KoZmgY3ICRTDnvU4qhhxCApyW7B11v28b7-cXrORko8V-KAxjzfbSKQoHYSAZ3Q8Qyh8v.BoIgfQ.HJZG1TN4BE4J_G5-XUayEnzDKOQ; HttpOnly; Path=/
< Server: Werkzeug/0.9.6 Python/3.4.1
< Date: Tue, 17 Jun 2014 18:54:53 GMT
<
* Closing connection 0
* Issue another request to this URL: 'http://127.0.0.1:5000/'
* Hostname was found in DNS cache
* Trying 127.0.0.1...
* Connected to 127.0.0.1 (127.0.0.1) port 5000 (#1)
* Server auth using Digest with user 'john'
> GET / HTTP/1.0
> Authorization: Digest username="john", realm="Authentication Required", nonce="bd371cbdb5f144d8dcfb9557bb1de941", uri="/", response="f1e03c23d2bb20db978360565e2ca80f", opaque="fe97f3f602eabfad9fbb186ca5cabb7f"
> User-Agent: curl/7.37.0
> Host: 127.0.0.1:5000
> Accept: */*
>
* HTTP 1.0, assume close after body
< HTTP/1.0 401 UNAUTHORIZED
< Content-Type: text/html; charset=utf-8
< Content-Length: 19
* Authentication problem. Ignoring this.
< WWW-Authenticate: Digest realm="Authentication Required",nonce="e853310af9d60336b41337e274f3f945",opaque="dd4e81a2f44b91b0d875a86d8c50db7d"
< Set-Cookie: session=.eJwlyzEOgCAMAMC_dHYAWqD4GVMoxAk0kcn4d2Pc726Qee1bH71UWKGyR7RGWtJgEEMmixiri9SwJfKw_H4ccs4vqFJlK64R5WSzUY5eOCgXbzRHhecFl8EclA.BoIgfQ.6btCp7oBk4w28CqZ5BhWO2C45PI; HttpOnly; Path=/
< Server: Werkzeug/0.9.6 Python/3.4.1
< Date: Tue, 17 Jun 2014 18:54:53 GMT
<
* Closing connection 1
What am I doing wrong?
from flask-httpauth.
The digest module requires session storage. In the default configuration
this is a cookie that Flask sends back to the client. This cookie will
have to be sent back with the request. In a production setup it would
make a lot more sense to use server-side sessions, maybe something like
Flask-KVSession.
Miguel
----- Original Message -----
From: orencio [email protected]
To: miguelgrinberg/Flask-HTTPAuth [email protected]
Cc: Miguel Grinberg [email protected]
Date: Tue, 17 Jun 2014 11:59:42 -0700
Subject: Re: [Flask-HTTPAuth] HTTPDigestAuth raise TypeError when
get_password() returns None. (#5)
Hi, I'm probing the same example (Digest authentication example of
https://github.com/miguelgrinberg/Flask-HTTPAuth), but I always get an
"Unathorized Access" when I make a request.Example:
~$ curl -v --digest -u john:hello http://127.0.0.1:5000/ * Hostname was NOT found in DNS cache * Trying 127.0.0.1... * Connected to 127.0.0.1 (127.0.0.1) port 5000 (#0) * Server auth using Digest with user 'john' > GET / HTTP/1.1 > User-Agent: curl/7.37.0 > Host: 127.0.0.1:5000 > Accept: */* > * HTTP 1.0, assume close after body < HTTP/1.0 401 UNAUTHORIZED < Content-Type: text/html; charset=utf-8 < Content-Length: 19 < WWW-Authenticate: Digest realm="Authentication
Required",nonce="bd371cbdb5f144d8dcfb9557bb1de941",opaque="fe97f3f602eabfad9fbb186ca5cabb7f"
< Set-Cookie:
session=.eJwly00OQDAQBtC7zNpC6Y-6jMw304lVS8JK3B2xf-8iPo91qa1KoZmgY3ICRTDnvU4qhhxCApyW7B11v28b7-cXrORko8V-KAxjzfbSKQoHYSAZ3Q8Qyh8v.BoIgfQ.HJZG1TN4BE4J_G5-XUayEnzDKOQ;
HttpOnly; Path=/
< Server: Werkzeug/0.9.6 Python/3.4.1
< Date: Tue, 17 Jun 2014 18:54:53 GMT
<
- Closing connection 0
- Issue another request to this URL: 'http://127.0.0.1:5000/'
- Hostname was found in DNS cache
- Trying 127.0.0.1...
- Connected to 127.0.0.1 (127.0.0.1) port 5000 (#1)
- Server auth using Digest with user 'john'
GET / HTTP/1.0
Authorization: Digest username="john", realm="Authentication Required",
nonce="bd371cbdb5f144d8dcfb9557bb1de941", uri="/",
response="f1e03c23d2bb20db978360565e2ca80f",
opaque="fe97f3f602eabfad9fbb186ca5cabb7f"
User-Agent: curl/7.37.0
Host: 127.0.0.1:5000
Accept: /- HTTP 1.0, assume close after body
< HTTP/1.0 401 UNAUTHORIZED
< Content-Type: text/html; charset=utf-8
< Content-Length: 19- Authentication problem. Ignoring this.
< WWW-Authenticate: Digest realm="Authentication
Required",nonce="e853310af9d60336b41337e274f3f945",opaque="dd4e81a2f44b91b0d875a86d8c50db7d"
< Set-Cookie:
session=.eJwlyzEOgCAMAMC_dHYAWqD4GVMoxAk0kcn4d2Pc726Qee1bH71UWKGyR7RGWtJgEEMmixiri9SwJfKw_H4ccs4vqFJlK64R5WSzUY5eOCgXbzRHhecFl8EclA.BoIgfQ.6btCp7oBk4w28CqZ5BhWO2C45PI;
HttpOnly; Path=/
< Server: Werkzeug/0.9.6 Python/3.4.1
< Date: Tue, 17 Jun 2014 18:54:53 GMT
<
- Closing connection 1
What am I doing wrong? --- Reply to this email directly or view it on GitHub: https://github.com/miguelgrinberg/Flask-HTTPAuth/issues/5#issuecomment-46350266
from flask-httpauth.
Hi,
maybe my question is not directly to this issue, but anyway. You said, that since digest module requires session storage, it would make a lot more sense to use server-side sessions. I would like still to see how it (digest auth) can be done in case of the default configuration, where this is about working with cookie that Flask sends back to client. Do you have examples how to demonstrate digest http auth, using some client like curl?
from flask-httpauth.
I don't have an example ready, but you can look at the unit test code for an example app. To use curl you do the same thing you do for basic auth, but add --digest
to make it use the digest protocol.
from flask-httpauth.
Related Issues (20)
- Critical security issue when uploading files HOT 2
- How do I make HTTPDigestAuth not use cookies? HOT 2
- Token refresh HOT 1
- Unable to change user and password for authenticate HOT 6
- Digest Auth plain-text passwords HOT 4
- __version__ is gone HOT 4
- Is there any plan to support 'qop' option? HOT 5
- Optional use of @auth.login_required HOT 2
- Custom return response on unauthorized HOT 2
- user/pwd encoding is assumed (hardcoded) to be utf-8 HOT 5
- verify_token custom error based on verification outcome HOT 1
- Customized 401 page HOT 3
- Restrict endpoint to selected auth in MultiAuth HOT 2
- Role based authentication for MultiAuth HOT 2
- Token Auth Example won't run with with itsdangerous > 2.0 HOT 1
- Flask_httpauth installation not working with pip but worked with pip3 HOT 2
- Decorator verify_token not working with changes version werkzeug 2.3.0
- Token is `None` in containerized setup HOT 16
- make setting header configurable HOT 2
- Trailing '==' in a token breaks verify_token() HOT 3
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from flask-httpauth.